authorAndreas Schneider <asn@samba.org>2020-06-15 11:50:16 +0200
committerAndreas Schneider <asn@cryptomilk.org>2020-06-17 17:42:02 +0000
commit53e3a959b958a3b099df6ecc5f6e294e96bd948e (patch)
tree63e0cbc0729147a8a868c714f6ea9782628c6f6c /source3/param
parent3d1b6ddcd0a1cee2eaeed5cc8bb38a8e8cdc1891 (diff)
downloadsamba-53e3a959b958a3b099df6ecc5f6e294e96bd948e.tar.gz
s3:lib:tls: Use better priority lists for modern GnuTLS
We should use the default priority list. That is good practice, because TLS protocol hardening and the phasing out of legacy algorithms are easier to co-ordinate when they happen in a single place. See the crypto policies of Fedora. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Wed Jun 17 17:42:02 UTC 2020 on sn-devel-184
Diffstat (limited to 'source3/param')
-rw-r--r--source3/param/loadparm.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index ce2aca2c5a4..0ceaa7d8edf 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -886,8 +886,15 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
lpcfg_string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem");
- lpcfg_string_set(Globals.ctx, &Globals.tls_priority,
- "NORMAL:-VERS-SSL3.0");
+#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND
+ lpcfg_string_set(Globals.ctx,
+ &Globals.tls_priority,
+ "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0");
+#else
+ lpcfg_string_set(Globals.ctx,
+ &Globals.tls_priority,
+ "NORMAL!-VERS-SSL3.0");
+#endif
lpcfg_string_set(Globals.ctx, &Globals.share_backend, "classic");